
Associating pre-existing Security Group Rules to resource.aws_security_group_rule #742

hashibot opened this issue Jun 13, 2017 · 2 comments



@hashibot hashibot commented Jun 13, 2017

This issue was originally opened by @nateww as hashicorp/terraform#14207. It was migrated here as part of the provider split. The original body of the issue is below.

Terraform Version

We're using 0.8.8, but the behavior is identical in 0.9.3/0.9.4

Affected Resource(s)

resource.aws_security_group and resource.aws_security_group_rule

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

TF file representing an existing AWS security group

resource "aws_security_group" "prod_stuffs" {
  vpc_id      = "${var.aws_vpc}"
  name        = "Security Group for Production Stuff"
  description = "Allows access to stuff"

  tags {
    Terraform   = "true"
  }
}

# No Egress rules are necessary since these are added to existing nodes

resource "aws_security_group_rule" "stuff_allow_tcp" {
  type              = "ingress"
  from_port         = 12345
  to_port           = 12345
  protocol          = "tcp"
  cidr_blocks       = "${list(lookup(var.subnets_cidrs, "yellow"))}"
  security_group_id = "${}"   # value elided in the original report
}

I'd like to add a new rule, so I appended the following to the end of the above file:

resource "aws_security_group_rule" "stuff_allow_icmp" {
  type              = "ingress"
  from_port         = 8
  to_port           = 0
  protocol          = "icmp"
  cidr_blocks       = "${list(lookup(var.remote_cidrs, "other-vpc"))}"
  security_group_id = "${}"   # value elided in the original report
}

Expected Behavior

We manually added the above rule (as well as an egress rule that allows all traffic).

Because of already reported issues with TF and AWS security groups (and the fact that we've been bitten hard by these bugs in the last few months), we will NOT use TF to modify either security groups and rules nor apply security groups to resources, which leaves our instances with the inability to communicate, and our services fail.

Therefore, we added our new rule manually via the AWS CLI. However, there is no way to associate the newly added rule with TF. TF knows the new rules exist, but it neither reports that the security group is out of sync with TF, nor do I know how to associate the above rule with the existing SG.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Create Security Group using Terraform
  2. Realize that Security Group needs new rules
  3. Manually add the new rule to the existing SG using the AWS CLI
  4. Edit the TF file that was used to create the SG by adding a new rule, and attempt to associate the newly added resource.aws_security_group_rule to the AWS rule.

In addition, we have new rules in place on the security group, and I would have expected TF to complain about existing rules that should be removed as they are not represented in the definition files provided to terraform.

Note, here is the (redacted) output of the terraform state, which shows both the existing and new rules, of which only one matches the TF files.

% terraform state show aws_security_group.prod_stuffs
id                                            = sg-15b3096e
description                                   = Allows profile access to stuff
egress.#                                      = 1
egress.482069346.cidr_blocks.#                = 1
egress.482069346.cidr_blocks.0                =
egress.482069346.from_port                    = 0
egress.482069346.prefix_list_ids.#            = 0
egress.482069346.protocol                     = -1
egress.482069346.security_groups.#            = 0
egress.482069346.self                         = false
egress.482069346.to_port                      = 0
ingress.#                                     = 3
ingress.2145115223.cidr_blocks.#              = 1
ingress.2145115223.cidr_blocks.0              =
ingress.2145115223.from_port                  = 8
ingress.2145115223.protocol                   = icmp
ingress.2145115223.security_groups.#          = 0
ingress.2145115223.self                       = false
ingress.2145115223.to_port                    = -1
ingress.3696632892.cidr_blocks.#              = 1
ingress.3696632892.cidr_blocks.0              =
ingress.3696632892.from_port                  = 19389
ingress.3696632892.protocol                   = tcp
ingress.3696632892.security_groups.#          = 0
ingress.3696632892.self                       = false
ingress.3696632892.to_port                    = 19389
ingress.4127962015.cidr_blocks.#              = 0
ingress.4127962015.from_port                  = 19389
ingress.4127962015.protocol                   = tcp
ingress.4127962015.security_groups.#          = 1
ingress.4127962015.security_groups.2968368645 = sg-a720c8c8
ingress.4127962015.self                       = false
ingress.4127962015.to_port                    = 19389
name                                          = Security Group for Production Profile
owner_id                                      = 382513426234
tags.%                                        = 3
tags.Environment                              = staging
tags.Name                                     = Production Profile Proxy Security Group
tags.Terraform                                = true
vpc_id                                        = vpc-asdfasdfadf


hashicorp/terraform#12252 - We've switched to using separate aws_security_group and aws_security_group_rule for both documentation purposes, and because of this.
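One way to surface the drift the report describes (rules present in the group's state that no aws_security_group_rule in the .tf files accounts for) is to diff the flat `terraform state show` output against the declared rules by their attributes rather than by the numeric hashes Terraform assigns. This is an added example, not code from the issue or the provider; the state snippet, CIDRs, group id and DECLARED list are constructed placeholders modelled on the redacted output above.

```python
import re

# Constructed sample in the flat `terraform state show` format shown in the issue;
# CIDRs and the group id are placeholders, not values from the real account.
SAMPLE_STATE = """\
ingress.2145115223.cidr_blocks.# = 1
ingress.2145115223.cidr_blocks.0 = 10.1.0.0/16
ingress.2145115223.from_port = 8
ingress.2145115223.protocol = icmp
ingress.2145115223.to_port = -1
ingress.3696632892.cidr_blocks.0 = 10.0.5.0/24
ingress.3696632892.from_port = 19389
ingress.3696632892.protocol = tcp
ingress.3696632892.to_port = 19389
ingress.4127962015.from_port = 19389
ingress.4127962015.protocol = tcp
ingress.4127962015.security_groups.2968368645 = sg-aaaaaaaa
ingress.4127962015.to_port = 19389
"""
# The one rule the (hypothetical) .tf files declare for this group.
DECLARED = [{"direction": "ingress", "protocol": "tcp", "from_port": 19389,
             "to_port": 19389, "cidr_blocks": {"10.0.5.0/24"}, "security_groups": set()}]

LINE = re.compile(r"^(ingress|egress)\.(\d+)\.(\S+)\s*=\s*(.*)$")

def parse_rules(state_text):
    """Group the flat key/value lines into one dict per rule hash."""
    rules = {}
    for line in state_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3).endswith("#"):
            continue  # 'ingress.#' and '...cidr_blocks.#' are element counts, not data
        direction, rule_hash, field, value = m.groups()
        rule = rules.setdefault((direction, rule_hash), {
            "direction": direction, "cidr_blocks": set(), "security_groups": set()})
        if field.startswith("cidr_blocks."):
            rule["cidr_blocks"].add(value.strip())
        elif field.startswith("security_groups."):
            rule["security_groups"].add(value.strip())
        elif field in ("protocol", "from_port", "to_port"):
            rule[field] = value.strip()
    return list(rules.values())

def rule_key(rule):
    """Order-independent identity, so the state's numeric hashes never need to match."""
    return (rule["direction"], rule["protocol"], str(rule["from_port"]), str(rule["to_port"]),
            tuple(sorted(rule["cidr_blocks"])), tuple(sorted(rule["security_groups"])))

def undeclared_rules(state_text, declared):
    """Rules present in state that no declared aws_security_group_rule accounts for."""
    wanted = {rule_key(r) for r in declared}
    return sorted(k for k in {rule_key(r) for r in parse_rules(state_text)} if k not in wanted)
```

Run against the sample, `undeclared_rules` reports the manually added ICMP rule and the rule sourced from another security group, which is exactly the out-of-sync condition the plan stays silent about.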


@github-actions github-actions bot commented Apr 1, 2020

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!


@github-actions github-actions bot added the stale label Apr 1, 2020
@github-actions github-actions bot closed this May 1, 2020

@ghost ghost commented Jun 2, 2020

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!


@hashicorp hashicorp locked and limited conversation to collaborators Jun 2, 2020